[Operators] Post-google TLS on s2s connections

Philipp Hancke fippo at goodadvice.pages.de
Thu May 23 16:59:57 UTC 2013

On 23.05.2013 17:38, Olle E. Johansson wrote:
> Now, with old SSL/TLS the server requiring a client cert had to say
> "I only accept client certs from these CAs". With TLS 1.x-something
> this was removed, which opens up a lot of new possibilities for
> self-signed certs verified by other means, like with DANE
> or the HTTP/PKI verification that is being worked on.
> Unfortunately it's hard to require people to update their OpenSSL
> or GnuTLS stack to get this, which means that there has to be
> a small set of CAs used for client certs for this to work in a
> federation, which stinks...

ISTR that sending an empty list has worked for a couple of years -- at 
least between implementations using OpenSSL. Haven't seen any problems 
when we interop tested s2s (back in 2010).
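The "list of CAs" the thread is talking about is the certificate_authorities
vector in the TLS CertificateRequest handshake message (RFC 5246 section 7.4.4).
TLS 1.0 (RFC 2246) declared it as <3..2^16-1>, so a server that wanted a client
cert had to name at least one issuer; TLS 1.1 (RFC 4346) relaxed it to
<0..2^16-1>, and an empty vector means the client may send any certificate of an
acceptable type. The decoder below is an added example for this thread, not code
from either poster or from any XMPP server; it parses a TLS 1.2 CertificateRequest
and reports whether the server advertised any issuer names. Both handshake messages
in it are constructed by hand for illustration, not captured from a real s2s
session, and the DN decoder deliberately handles only the simple
SEQUENCE-of-SET-of-one-attribute shape used by the sample.

```python
"""Decode a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) and report the
certificate_authorities the server advertises. Added example for the thread;
not code from the original posts. Sample messages are constructed, not captured."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13

# ClientCertificateType values (RFC 5246 / RFC 4492).
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# A few X.520 attribute OIDs (DER-encoded contents) for pretty-printing names.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos).
    Handles short-form and long-form definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dn(der):
    """Render a DER X.501 Name as 'CN=...,O=...'. Simple-case decoder: each RDN
    SET is assumed to hold exactly one AttributeTypeAndValue."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _der_tlv(seq, pos)          # SET
        _, atv, _ = _der_tlv(rdn_set, 0)              # SEQUENCE { OID, value }
        _, oid, p = _der_tlv(atv, 0)
        _, value, _ = _der_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def parse_certificate_request(msg):
    """Parse a CertificateRequest handshake message (4-byte handshake header included).
    Returns certificate types, signature algorithms and the advertised CA names."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError(f"not a CertificateRequest (handshake type {msg[0]})")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")

    pos = 0
    n = body[pos]; pos += 1                           # certificate_types<1..2^8-1>
    cert_types = [CLIENT_CERT_TYPES.get(t, f"unknown({t})") for t in body[pos:pos + n]]
    pos += n

    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2   # supported_signature_algorithms
    sig_algs = [f"{HASH_ALGS.get(body[i], body[i])}+{SIG_ALGS.get(body[i + 1], body[i + 1])}"
                for i in range(pos, pos + n, 2)]
    pos += n

    # certificate_authorities<0..2^16-1>: a zero length is legal since TLS 1.1 and
    # tells the client it may present any certificate of an acceptable type.
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, cas = pos + n, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        cas.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


# Constructed sample 1: rsa_sign accepted, sha256+rsa, and NO issuer names at all
# (the "empty list" case from the thread).
EMPTY_CA_LIST_MSG = bytes.fromhex(
    "0d000008"        # handshake type 13, body length 8
    "0101"            # certificate_types: 1 entry, rsa_sign
    "00020401"        # supported_signature_algorithms: 2 bytes, sha256+rsa
    "0000"            # certificate_authorities: length 0
)

# Constructed sample 2: same, but advertising the single issuer "CN=Test CA"
# (DER: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String "Test CA" } } }).
ONE_CA_MSG = bytes.fromhex(
    "0d00001e"        # body length 30
    "0101"
    "00020401"
    "0016"            # certificate_authorities: 22 bytes follow
    "0014"            # one DistinguishedName of 20 bytes
    "3012" "3110" "300e" "0603550403" "0c07" "54657374204341"
)

if __name__ == "__main__":
    for label, m in (("empty CA list", EMPTY_CA_LIST_MSG), ("one CA", ONE_CA_MSG)):
        print(label, parse_certificate_request(m))
```

Run against sample 1 the decoder reports an empty certificate_authorities list, which is
exactly what a peer verifying self-signed certs by some other means (DANE, or the
HTTP-based verification mentioned above) wants to see on the wire; sample 2 shows the
older shape where the server pins the client to a named issuer.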

